arno
/
trezor-firmware
mirror of https://github.com/trezor/trezor-firmware.git
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a7482f4c6a'
${ noResults }
trezor-firmware/python/src/trezorlib/cosi.py

174 lines
5.9 KiB
Raw Normal View History Unescape

regenerate license headers This clarifies the intent: the project is licenced under terms of LGPL version 3 only, but the standard headers cover only "3 or later", so we had to rewrite them. In the same step, we removed author information from individual files in favor of "SatoshiLabs and contributors", and include an AUTHORS file that lists the contributors. Apologies to those whose names are missing; please contact us if you wish to add your info to the AUTHORS file.
6 years ago
# This file is part of the Trezor project.
#
chore(python): regenerate GNU copyright headers
3 years ago
# Copyright (C) 2012-2022 SatoshiLabs and contributors
regenerate license headers This clarifies the intent: the project is licenced under terms of LGPL version 3 only, but the standard headers cover only "3 or later", so we had to rewrite them. In the same step, we removed author information from individual files in favor of "SatoshiLabs and contributors", and include an AUTHORS file that lists the contributors. Apologies to those whose names are missing; please contact us if you wish to add your info to the AUTHORS file.
6 years ago
#
# This library is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License version 3
# as published by the Free Software Foundation.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the License along with this library.
# If not, see <https://www.gnu.org/licenses/lgpl-3.0.html>.
chore(common): Deprecate data field in CosiCommit message.
2 years ago
import warnings
style: apply black/isort
6 years ago
from functools import reduce
refactor(python): convert firmware parsing to classes
2 years ago
from typing import TYPE_CHECKING, Iterable, Optional, Sequence, Tuple
trezorlib: move ed25519cosi and ed25519raw from trezor-core
7 years ago
style: apply black/isort
6 years ago
from . import _ed25519, messages
trezorlib: split out methods from ProtocolMixin
6 years ago
from .tools import expect
feat(python): add full type information WIP - typing the trezorctl apps typing functions trezorlib/cli addressing most of mypy issue for trezorlib apps and _internal folder fixing broken device tests by changing asserts in debuglink.py addressing most of mypy issues in trezorlib/cli folder adding types to some untyped functions, mypy section in setup.cfg typing what can be typed, some mypy fixes, resolving circular import issues importing type objects in "if TYPE_CHECKING:" branch fixing CI by removing assert in emulator, better ignore comments CI assert fix, style fixes, new config options fixup! CI assert fix, style fixes, new config options type fixes after rebasing on master fixing python3.6 and 3.7 unittests by importing Literal from typing_extensions couple mypy and style fixes fixes and improvements from code review silencing all but one mypy issues trial of typing the tools.expect function fixup! trial of typing the tools.expect function @expect and @session decorators correctly type-checked Optional args in CLI where relevant, not using general list/tuple/dict where possible python/Makefile commands, adding them into CI, ignoring last mypy issue documenting overload for expect decorator, two mypy fixes coming from that black style fix improved typing of decorators, pyright config file addressing or ignoring pyright errors, replacing mypy in CI by pyright fixing incomplete assert causing device tests to fail pyright issue that showed in CI but not locally, printing pyright version in CI fixup! pyright issue that showed in CI but not locally, printing pyright version in CI unifying type:ignore statements for pyright usage resolving PIL.Image issues, pyrightconfig not excluding anything replacing couple asserts with TypeGuard on safe_issubclass better error handling of usb1 import for webusb better error handling of hid import small typing details found out by strict pyright mode improvements from code review chore(python): changing List to Sequence for protobuf messages small code changes to reflect the protobuf change to Sequence importing TypedDict from typing_extensions to support 3.6 and 3.7 simplify _format_access_list function fixup! simplify _format_access_list function typing tools folder typing helper-scripts folder some click typing enforcing all functions to have typed arguments reverting the changed argument name in tools replacing TransportType with Transport making PinMatrixRequest.type protobuf attribute required reverting the protobuf change, making argument into get_pin Optional small fixes in asserts solving the session decorator type issues fixup! solving the session decorator type issues improvements from code review fixing new pyright errors introduced after version increase changing -> Iterable to -> Sequence in enumerate_devices, change in wait_for_devices style change in debuglink.py chore(python): adding type annotation to Sequences in messages.py better "self and cls" types on Transport fixup! better "self and cls" types on Transport fixing some easy things from strict pyright run
3 years ago
if TYPE_CHECKING:
from .client import TrezorClient
from .tools import Address
from .protobuf import MessageType
cosi: typehints, documentation, removed selftest
6 years ago
# XXX, these could be NewType's, but that would infect users of the cosi module with these types as well.
# Unsure if we want that.
Ed25519PrivateKey = bytes
Ed25519PublicPoint = bytes
Ed25519Signature = bytes
trezorlib: move ed25519cosi and ed25519raw from trezor-core
7 years ago
cosi: typehints, documentation, removed selftest
6 years ago
def combine_keys(pks: Iterable[Ed25519PublicPoint]) -> Ed25519PublicPoint:
"""Combine a list of Ed25519 points into a "global" CoSi key."""
trezorlib: mark ed25519 impl as private
6 years ago
P = [_ed25519.decodepoint(pk) for pk in pks]
cosi: replace slow djb implementation of ed25519 with an optimized one from https://github.com/pyca/ed25519 This makes the calculations several orders of magnitude faster, which allows us to run the CoSi test in Travis. It also doesn't stop firmware update for several seconds while we validate the CoSi signatures. It's still essentially the same insecure implementation, fallible to all the same timing attacks, and it shouldn't be used for anything except validating public signatures of public data. But now it also takes about as much time as it should on modern hardware.
6 years ago
combine = reduce(_ed25519.edwards_add, P)
cosi: typehints, documentation, removed selftest
6 years ago
return Ed25519PublicPoint(_ed25519.encodepoint(combine))
trezorlib: move ed25519cosi and ed25519raw from trezor-core
7 years ago
style: apply black/isort
6 years ago
def combine_sig(
global_R: Ed25519PublicPoint, sigs: Iterable[Ed25519Signature]
) -> Ed25519Signature:
cosi: typehints, documentation, removed selftest
6 years ago
"""Combine a list of signatures into a single CoSi signature."""
trezorlib: mark ed25519 impl as private
6 years ago
S = [_ed25519.decodeint(si) for si in sigs]
s = sum(S) % _ed25519.l
cosi: typehints, documentation, removed selftest
6 years ago
sig = global_R + _ed25519.encodeint(s)
return Ed25519Signature(sig)
style: apply black/isort
6 years ago
def get_nonce(
sk: Ed25519PrivateKey, data: bytes, ctr: int = 0
) -> Tuple[int, Ed25519PublicPoint]:
cosi: typehints, documentation, removed selftest
6 years ago
"""Calculate CoSi nonces for given data.
These differ from Ed25519 deterministic nonces in that there is a counter appended at end.
trezorlib: move ed25519cosi and ed25519raw from trezor-core
7 years ago
cosi: typehints, documentation, removed selftest
6 years ago
Returns both the private point `r` and the partial signature `R`.
`r` is returned for performance reasons: :func:`sign_with_privkey`
takes it as its `nonce` argument so that it doesn't repeat the `get_nonce` call.
trezorlib: move ed25519cosi and ed25519raw from trezor-core
7 years ago
cosi: typehints, documentation, removed selftest
6 years ago
`R` should be combined with other partial signatures through :func:`combine_keys`
to obtain a "global commitment".
"""
cosi: clarify convoluted parts of local signing code
6 years ago
# r = hash(hash(sk)[b .. 2b] + M + ctr)
# R = rB
trezorlib: mark ed25519 impl as private
6 years ago
h = _ed25519.H(sk)
cosi: clarify convoluted parts of local signing code
6 years ago
bytesize = _ed25519.b // 8
assert len(h) == bytesize * 2
r = _ed25519.Hint(h[bytesize:] + data + ctr.to_bytes(4, "big"))
trezorlib: mark ed25519 impl as private
6 years ago
R = _ed25519.scalarmult(_ed25519.B, r)
cosi: typehints, documentation, removed selftest
6 years ago
return r, Ed25519PublicPoint(_ed25519.encodepoint(R))
trezorlib: move ed25519cosi and ed25519raw from trezor-core
7 years ago
python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest.
4 years ago
def verify_combined(
style: apply black/isort
6 years ago
signature: Ed25519Signature, digest: bytes, pub_key: Ed25519PublicPoint
) -> None:
python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest.
4 years ago
"""Verify Ed25519 signature. Raise exception if the signature is invalid.
A CoSi combined signature is equivalent to a plain Ed25519 signature with a public
key that is a combination of the cosigners' public keys. This function takes the
combined public key and performs simple Ed25519 verification.
"""
cosi: typehints, documentation, removed selftest
6 years ago
# XXX this *might* change to bool function
trezorlib: mark ed25519 impl as private
6 years ago
_ed25519.checkvalid(signature, digest, pub_key)
cosi: move things around ed25519raw is moved back to trezorlib ed25519cosi is renamed to cosi, and has a couple more functions, with the expectation that TrezorClient.cosi_* methods will move there. Also most code shouldn't need ed25519raw for anything, so it might get renamed to "_ed25519" to indicate that it's a private implementation. For now, I added a "verify" method to cosi, so that you don't need to call into ed25519raw.checkvalid. But trezor-core's keyctl is also using ed25519raw.publickey. I'm not sure if that's worth replicating in cosi, or whether to just leave it be, so I'm leaving it be for now. Importantly, new function "sign_with_privkey" does that math thing that was part of the selftest and is also explicitly listed in keyctl. (it's called sign_with_privkey because I expect to have a "sign" method here that calls into Trezor)
6 years ago
python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest.
4 years ago
def verify(
cosi: replace slow djb implementation of ed25519 with an optimized one from https://github.com/pyca/ed25519 This makes the calculations several orders of magnitude faster, which allows us to run the CoSi test in Travis. It also doesn't stop firmware update for several seconds while we validate the CoSi signatures. It's still essentially the same insecure implementation, fallible to all the same timing attacks, and it shouldn't be used for anything except validating public signatures of public data. But now it also takes about as much time as it should on modern hardware.
6 years ago
signature: Ed25519Signature,
digest: bytes,
python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest.
4 years ago
sigs_required: int,
refactor(python): convert firmware parsing to classes
2 years ago
keys: Sequence[Ed25519PublicPoint],
python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest.
4 years ago
mask: int,
cosi: replace slow djb implementation of ed25519 with an optimized one from https://github.com/pyca/ed25519 This makes the calculations several orders of magnitude faster, which allows us to run the CoSi test in Travis. It also doesn't stop firmware update for several seconds while we validate the CoSi signatures. It's still essentially the same insecure implementation, fallible to all the same timing attacks, and it shouldn't be used for anything except validating public signatures of public data. But now it also takes about as much time as it should on modern hardware.
6 years ago
) -> None:
python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest.
4 years ago
"""Verify a CoSi multi-signature. Raise exception if the signature is invalid.
This function verifies a M-of-N signature scheme. The arguments are:
- the minimum number M of signatures required
- public keys of all N possible cosigners
- a bitmask specifying which of the N cosigners have produced the signature.
The verification checks that the mask specifies at least M cosigners, then combines
the selected public keys and verifies the signature against the combined key.
"""
if sigs_required < 1:
raise ValueError("At least one signer must be specified.")
if mask.bit_length() > len(keys):
raise ValueError("Sigmask specifies more public keys than provided.")
selected_keys = [key for i, key in enumerate(keys) if mask & (1 << i)]
if len(selected_keys) < sigs_required:
raise _ed25519.SignatureMismatch("Insufficient number of signatures.")
cosi: replace slow djb implementation of ed25519 with an optimized one from https://github.com/pyca/ed25519 This makes the calculations several orders of magnitude faster, which allows us to run the CoSi test in Travis. It also doesn't stop firmware update for several seconds while we validate the CoSi signatures. It's still essentially the same insecure implementation, fallible to all the same timing attacks, and it shouldn't be used for anything except validating public signatures of public data. But now it also takes about as much time as it should on modern hardware.
6 years ago
global_pk = combine_keys(selected_keys)
python/cosi: improve API cosi.verify was renamed to verify_combined, because it is pretty much ed25519.verify, and the new name implies what it does in terms of the CoSi scheme: verify a signature with already-combined public keys. cosi.verify_m_of_n signature was simplified by not requiring the `n` parameter, which is not important for verification. The updated function was renamed to cosi.verify, because this is the standard CoSi verification operation: given signature, digest, required number of signatures, sigmask, and a list of public keys, verify that enough signatures are indicated and that they sign the digest.
4 years ago
return verify_combined(signature, digest, global_pk)
cosi: replace slow djb implementation of ed25519 with an optimized one from https://github.com/pyca/ed25519 This makes the calculations several orders of magnitude faster, which allows us to run the CoSi test in Travis. It also doesn't stop firmware update for several seconds while we validate the CoSi signatures. It's still essentially the same insecure implementation, fallible to all the same timing attacks, and it shouldn't be used for anything except validating public signatures of public data. But now it also takes about as much time as it should on modern hardware.
6 years ago
cosi: typehints, documentation, removed selftest
6 years ago
def pubkey_from_privkey(privkey: Ed25519PrivateKey) -> Ed25519PublicPoint:
"""Interpret 32 bytes of data as an Ed25519 private key.
style: apply black 20.8b1
4 years ago
Calculate and return the corresponding public key.
"""
cosi: replace slow djb implementation of ed25519 with an optimized one from https://github.com/pyca/ed25519 This makes the calculations several orders of magnitude faster, which allows us to run the CoSi test in Travis. It also doesn't stop firmware update for several seconds while we validate the CoSi signatures. It's still essentially the same insecure implementation, fallible to all the same timing attacks, and it shouldn't be used for anything except validating public signatures of public data. But now it also takes about as much time as it should on modern hardware.
6 years ago
return Ed25519PublicPoint(_ed25519.publickey_unsafe(privkey))
cosi: publish "pubkey from privkey" operation from ed25519
6 years ago
style: apply black/isort
6 years ago
def sign_with_privkey(
digest: bytes,
privkey: Ed25519PrivateKey,
global_pubkey: Ed25519PublicPoint,
nonce: int,
global_commit: Ed25519PublicPoint,
) -> Ed25519Signature:
cosi: typehints, documentation, removed selftest
6 years ago
"""Create a CoSi signature of `digest` with the supplied private key.
This function needs to know the global public key and global commitment.
"""
cosi: clarify convoluted parts of local signing code
6 years ago
h = _ed25519.H(privkey)
cosi: replace slow djb implementation of ed25519 with an optimized one from https://github.com/pyca/ed25519 This makes the calculations several orders of magnitude faster, which allows us to run the CoSi test in Travis. It also doesn't stop firmware update for several seconds while we validate the CoSi signatures. It's still essentially the same insecure implementation, fallible to all the same timing attacks, and it shouldn't be used for anything except validating public signatures of public data. But now it also takes about as much time as it should on modern hardware.
6 years ago
a = _ed25519.decodecoord(h)
cosi: clarify convoluted parts of local signing code
6 years ago
trezorlib: mark ed25519 impl as private
6 years ago
S = (nonce + _ed25519.Hint(global_commit + global_pubkey + digest) * a) % _ed25519.l
cosi: typehints, documentation, removed selftest
6 years ago
return Ed25519Signature(_ed25519.encodeint(S))
trezorlib: split out methods from ProtocolMixin
6 years ago
style: bare excepts, left-over bad imports
6 years ago
# ====== Client functions ====== #
trezorlib: split out methods from ProtocolMixin
6 years ago
@expect(messages.CosiCommitment)
chore(common): Deprecate data field in CosiCommit message.
2 years ago
def commit(
client: "TrezorClient", n: "Address", data: Optional[bytes] = None
) -> "MessageType":
if data is not None:
warnings.warn(
"'data' argument is deprecated",
DeprecationWarning,
stacklevel=2,
)
return client.call(messages.CosiCommit(address_n=n))
trezorlib: split out methods from ProtocolMixin
6 years ago
@expect(messages.CosiSignature)
feat(python): add full type information WIP - typing the trezorctl apps typing functions trezorlib/cli addressing most of mypy issue for trezorlib apps and _internal folder fixing broken device tests by changing asserts in debuglink.py addressing most of mypy issues in trezorlib/cli folder adding types to some untyped functions, mypy section in setup.cfg typing what can be typed, some mypy fixes, resolving circular import issues importing type objects in "if TYPE_CHECKING:" branch fixing CI by removing assert in emulator, better ignore comments CI assert fix, style fixes, new config options fixup! CI assert fix, style fixes, new config options type fixes after rebasing on master fixing python3.6 and 3.7 unittests by importing Literal from typing_extensions couple mypy and style fixes fixes and improvements from code review silencing all but one mypy issues trial of typing the tools.expect function fixup! trial of typing the tools.expect function @expect and @session decorators correctly type-checked Optional args in CLI where relevant, not using general list/tuple/dict where possible python/Makefile commands, adding them into CI, ignoring last mypy issue documenting overload for expect decorator, two mypy fixes coming from that black style fix improved typing of decorators, pyright config file addressing or ignoring pyright errors, replacing mypy in CI by pyright fixing incomplete assert causing device tests to fail pyright issue that showed in CI but not locally, printing pyright version in CI fixup! pyright issue that showed in CI but not locally, printing pyright version in CI unifying type:ignore statements for pyright usage resolving PIL.Image issues, pyrightconfig not excluding anything replacing couple asserts with TypeGuard on safe_issubclass better error handling of usb1 import for webusb better error handling of hid import small typing details found out by strict pyright mode improvements from code review chore(python): changing List to Sequence for protobuf messages small code changes to reflect the protobuf change to Sequence importing TypedDict from typing_extensions to support 3.6 and 3.7 simplify _format_access_list function fixup! simplify _format_access_list function typing tools folder typing helper-scripts folder some click typing enforcing all functions to have typed arguments reverting the changed argument name in tools replacing TransportType with Transport making PinMatrixRequest.type protobuf attribute required reverting the protobuf change, making argument into get_pin Optional small fixes in asserts solving the session decorator type issues fixup! solving the session decorator type issues improvements from code review fixing new pyright errors introduced after version increase changing -> Iterable to -> Sequence in enumerate_devices, change in wait_for_devices style change in debuglink.py chore(python): adding type annotation to Sequences in messages.py better "self and cls" types on Transport fixup! better "self and cls" types on Transport fixing some easy things from strict pyright run
3 years ago
def sign(
client: "TrezorClient",
n: "Address",
data: bytes,
global_commitment: bytes,
global_pubkey: bytes,
) -> "MessageType":
style: apply black/isort
6 years ago
return client.call(
messages.CosiSign(
address_n=n,
data=data,
global_commitment=global_commitment,
global_pubkey=global_pubkey,
)
)